Electronic Fund Transfer Act Shifts Risk to Banks
Article by Richard L. Santalesa
Just a step below widows and orphans on the sympathy scale, at least when it comes to ripoffs and theft, sit school districts, boards and local municipalities.
And in an era of tight budgets, when school districts are robbed of tax monies from halfway around the world via ACH/wire fraud, state and federal politicians take notice.
The Duanesburg Central School District in upstate New York, a district with 1,000 students and an annual budget of approximately $15 million, suffered a brazen cybertheft of $3 million in December 2009, which eventually left the school district potentially on the hook for over $400K of unrecovered funds (details about the Duanesburg cybertheft here and here and here). The District then approached State officials on the issue (here) and, after that, federal representatives, including Senator Schumer.
While the New York Senate passed S7323/Foley earlier this year, which would have established a "School District Financial Security Task Force" with a mission to "develop guidelines for school districts to protect school district funds deposited with banks and other financial institutions from adverse consequences such as theft and cyber-theft," NY Governor Paterson vetoed the bill, apparently on fiscal grounds.
However, up at the federal level Senator Schumer recently picked up the district's mantle to introduce S.3898, a bill "to amend the Electronic Fund Transfer Act to treat municipalities and school districts as consumers for certain purposes under that Act," as codified at 15 U.S.C. §1693a, and to require the Board of Governors of the Federal Reserve System to issue final rules on defining "municipality" and "school district" for purposes of section 903 [codified at 15 U.S.C. §1693a] of the EFTA.
Boiled down, S.3898 essentially modifies FDIC Regulation E implementing portions of the EFTA to extend the $50 limitation of loss from ACH/wire fraud currently covering individual consumers to school districts and municipalities.
Notably, in a Senate still dominated by 57 Democrats, Senator Schumer stands as S.3898's sole sponsor headed into a lame-duck session of Congress that is likely to see the House, and possibly the Senate, change hands. (InfoLawGroup partner David Navetta recently also commented on S.3898's prospects at BankInfoSecurity.com here.)
The Security Landscape
While dismay and outrage at cyberthefts have built steadily, many felt that a Rubicon of sorts was finally crossed in 2010 as the use and reach of the Zeus Trojan built to a crescendo.
Indeed, the FBI announced less than two weeks ago, on Oct. 1, that it broke a multi-country cybertheft ring that had been using Zeus botnets in various attempts to steal $220 million from accounts.
The ring nevertheless managed to abscond with $70 million before the FBI disrupted it. (See FBI Nat'l Press Office, Oct. 1, 2010, "International Cooperation Disrupts Multi-Country Cyber Theft Ring" here; see also "How the Fraud Works", here).
In response, months before Schumer's introduction of S.3898, an alphabet soup of federal and state agencies, including the U.S. Secret Service, Financial Services Information Sharing and Analysis Center (FS-ISAC), New York State Intelligence Center (NYSIC), New York State Police, and New York State Office of Homeland Security, released on March 12, 2010 a Cyber Security Advisory entitled Information and Recommendations Regarding Unauthorized Wire Transfers Relating to Compromised Cyber Networks, available here.
The March 2010 Advisory contains a series of best practices, including enterprise recommendations, user recommendations, financial institution recommendations for users, and financial institution specific recommendations.
It's still too early to tell whether S.3898 represents a true push by Congress to shift the risk of loss in such ACH/wire fraud scenarios from schools and municipalities onto the banking community, or is merely a warning shot across the bow of the banking industry designed to spur the industry into battening down ACH hatches.
In my view the latter is more probable, at least at this time - given Congress' preoccupation with other fiscal matters, the lame duck session around the corner, and the fact that Senator Schumer's name alone appears as the sole sponsor, despite his individual prominence.
However, the banking industry is certainly taking notice and promising to work towards a satisfactory compromise.
Cross-posted from InfoLawGroup